[Unit]
Description=Reconfigure memlockd depending on running kernel
Documentation=https://tails.boum.org/contribute/design/memory_erasure/
Before=memlockd.service

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/tails-reconfigure-memlockd
RemainAfterExit=yes
CapabilityBoundingSet=
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=yes

[Install]
WantedBy=multi-user.target
